Configuring PAP and CHAP Authentication

Configure R1 to use PPP encapsulation with R3.


Enter the following commands on R1:
R1(config)# interface s0/0/0
R1(config-if)# encapsulation ppp
Configure PPP PAP Authentication Between R1 and R3.
Note: Instead of using the keyword password as shown in the curriculum, you will use the
keyword secret so that the stored password is encrypted more strongly.
a. Enter the following commands into R1:
R1(config)# username R3 secret class
R1(config)# interface s0/0/0
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username R1 password cisco
b. Enter the following commands into R3:
R3(config)# username R1 secret cisco
R3(config)# interface s0/0/0
R3(config-if)# ppp authentication pap
R3(config-if)# ppp pap sent-username R3 password class
Configure PPP CHAP Authentication Between R3 and ISP.
a. Enter the following commands into ISP. The hostname is sent as the username:
Router(config)# hostname ISP
ISP(config)# username R3 secret cisco
ISP(config)# interface s0/0/0
ISP(config-if)# ppp authentication chap
b. Enter the following commands into R3. The passwords must match for CHAP
authentication:
R3(config)# username ISP secret cisco
R3(config)# interface serial0/1/0
R3(config-if)# ppp authentication chap
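As an added illustration that is not part of the lab, the Python below models both PPP authentication methods against constructed copies of the lab's username tables: PAP compares the cleartext username and password the peer sends, while CHAP (RFC 1994) sends only an MD5 hash of the identifier, the shared secret and a random challenge, which is why the secret stored under each peer's hostname must match on both routers.

```python
import hashlib
import hmac
import os

# 'username <name> secret <pw>' entries, constructed to mirror the lab.
ISP_USERS = {"R3": "cisco"}   # configured on ISP
R3_USERS = {"ISP": "cisco"}   # configured on R3

def pap_authenticate(sent_username: str, sent_password: str, users: dict) -> bool:
    """PAP: the name and password from 'ppp pap sent-username' travel in cleartext
    in the Authenticate-Request; the authenticator compares them to its username table."""
    stored = users.get(sent_username)
    return stored is not None and hmac.compare_digest(stored.encode(), sent_password.encode())

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_exchange(auth_name: str, auth_users: dict, peer_name: str, peer_users: dict,
                  ident: int = 1, challenge: bytes = b"") -> bool:
    """One-way CHAP as enabled by 'ppp authentication chap' on the authenticator.
    Each router's hostname is sent as the username; only hashes cross the link."""
    challenge = challenge or os.urandom(16)
    # 1. Challenge (authenticator -> peer): ident, random challenge, authenticator's hostname.
    # 2. The peer looks up the secret it stores for the authenticator's hostname.
    peer_secret = peer_users.get(auth_name)
    if peer_secret is None:
        return False
    response = chap_response(ident, peer_secret, challenge)
    # 3. Response (peer -> authenticator): ident, MD5 hash, peer's hostname.
    # 4. The authenticator recomputes with the secret it stores under the peer's hostname.
    auth_secret = auth_users.get(peer_name)
    if auth_secret is None:
        return False
    expected = chap_response(ident, auth_secret, challenge)
    # 5. Success or Failure: the hashes only agree when both stored secrets are identical.
    return hmac.compare_digest(expected, response)
```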

Configuring Static Frame Relay Maps
Configure Frame Relay encapsulation on the S0/0/0 interface of R1.
R1(config)# interface s0/0/0
R1(config-if)# encapsulation frame-relay
Step 1: Configure static Frame Relay maps on R1, R2, and R3.
a. Configure R1 to use static Frame Relay maps. Use DLCI 102 to communicate
from R1 to R2. Use DLCI 103 to communicate from R1 to R3. The routers must also
support EIGRP multicast on 224.0.0.10; therefore, the broadcast keyword is required.
R1(config)# interface s0/0/0
R1(config-if)# frame-relay map ip 10.1.1.2 102 broadcast
R1(config-if)# frame-relay map ip 10.1.1.3 103 broadcast
Configure ANSI as the LMI type on R1, R2, and R3.
Enter the following command on the serial interface for each router:
R1(config-if)# frame-relay lmi-type ansi

Configuring Frame Relay Point-to-Point Subinterfaces
Step 1: Configure Frame Relay encapsulation on the S0/0/0 interface of R1.
R1(config)# interface s0/0/0
R1(config-if)# encapsulation frame-relay
R1(config-if)# no shutdown
Step 1: Configure subinterfaces on R1, R2, and R3.
a. Configure R1 to use subinterfaces. DLCI 102 is used to communicate from R1 to R2,
while DLCI 103 is used to communicate from R1 to R3.
R1(config)# interface s0/0/0.2 point-to-point
R1(config-subif)# ip address 10.1.1.1 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 102
R1(config-subif)# interface s0/0/0.3 point-to-point
R1(config-subif)# ip address 10.1.3.2 255.255.255.252
R1(config-subif)# frame-relay interface-dlci 103
b. Add network entries to EIGRP autonomous system 1 to reflect the IP addresses above.
R1(config)# router eigrp 1
R1(config-router)# network 10.1.1.0 0.0.0.3
R1(config-router)# network 10.1.3.0 0.0.0.3
Step 1: Verify the Frame Relay configuration.
Show information about Frame Relay and the connections that have been made. Note the
fields for BECN, FECN, DE, DLCI, and LMI TYPE.
R1# show frame-relay map
R1# show frame-relay pvc
R1# show frame-relay lmi

Configuring Standard ACLs
Step 1: Configure and apply a numbered standard ACL on R2.
a. Create an ACL using the number 1 on R2 with a statement that denies access to the
192.168.20.0/24 network from the 192.168.11.0/24 network.
R2(config)# access-list 1 deny 192.168.11.0 0.0.0.255
b. By default, an access list denies all traffic that does not match a rule. To permit all other
traffic, configure the following statement:
R2(config)# access-list 1 permit any
c. For the ACL to actually filter traffic, it must be applied to some router operation. Apply
the ACL by placing it for outbound traffic on the Gigabit Ethernet 0/0 interface.
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip access-group 1 out
Step 2: Configure and apply a numbered standard ACL on R3.
a. Create an ACL using the number 1 on R3 with a statement that denies access to the
192.168.30.0/24 network from the PC1 (192.168.10.0/24) network.
R3(config)# access-list 1 deny 192.168.10.0 0.0.0.255
b. By default, an ACL denies all traffic that does not match a rule. To permit all other traffic,
create a second rule for ACL 1.
R3(config)# access-list 1 permit any
c. Apply the ACL by placing it for outbound traffic on the Gigabit Ethernet 0/0 interface.
R3(config)# interface GigabitEthernet0/0
R3(config-if)# ip access-group 1 out

Configuring Named Standard ACLs
Step 1: Configure a named standard ACL.
Configure the following named ACL on R1.
R1(config)# ip access-list standard File_Server_Restrictions
R1(config-std-nacl)# permit host 192.168.20.4
R1(config-std-nacl)# deny any
Step 2: Apply the named ACL.
a. Apply the ACL outbound on the interface Fast Ethernet 0/1.
R1(config-if)# ip access-group File_Server_Restrictions out
b. Save the configuration.

Configuring an ACL on VTY Lines
Step 1: Configure a numbered standard ACL.
Configure the following numbered ACL on Router.
Router(config)# access-list 99 permit host 10.0.0.1
Step 2: Place a named standard ACL on the router.
Access to the Router interfaces must be allowed, while Telnet access must be restricted.
Therefore, we must place the ACL on Telnet lines 0 through 4. From the configuration
prompt of Router, enter line configuration mode for lines 0 4 and use the access-class
command to apply the ACL to all the VTY lines:
Router(config)# line vty 0 4
Router(config-line)# access-class 99 in
Step 3: Verify the ACL configuration and application to the VTY lines.
Use the show access-lists command to verify the ACL configuration. Use the show run command to
verify that the ACL is applied to the VTY lines.

Configuring Extended ACLs - Scenario 1
Step 1: Configure an ACL to permit FTP and ICMP.
a. From global configuration mode on R1, enter the following command to determine the
first valid number for an extended access list.
R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
b. Add 100 to the command, followed by a question mark.
R1(config)# access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
c. To permit FTP traffic, enter permit, followed by a question mark.
R1(config)# access-list 100 permit ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
d. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP
runs over TCP. Enter tcp to further refine the ACL help.
R1(config)# access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
e. Notice that we could filter just for PC1 by using the host keyword, or we could
allow any host. In this case, any device is allowed that has an address belonging to the
172.22.34.64/27 network. Enter the network address, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 ?
A.B.C.D Source wildcard bits
f. Calculate the wildcard mask by determining the binary opposite of the subnet mask.
11111111.11111111.11111111.11100000 = 255.255.255.224
00000000.00000000.00000000.00011111 = 0.0.0.31
g. Enter the wildcard mask, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
h. Configure the destination address. In this scenario, we are filtering traffic for a single
destination, the server. Enter the host keyword followed by the server's IP address.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31
host 172.22.34.62 ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
i. Notice that one of the options is <cr> (carriage return). In other words, you could
press Enter and the statement would permit all TCP traffic. However, we are only
permitting FTP traffic; therefore, enter the eq keyword, followed by a question mark to
display the available options. Then, enter ftp and press Enter.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31
host 172.22.34.62 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31
host 172.22.34.62 eq ftp
j. Create a second access list statement to permit ICMP (ping, etc.) traffic
from PC1 to Server. Note that the access list number remains the same and a specific
type of ICMP traffic does not need to be specified.
R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31
host 172.22.34.62
k. All other traffic is denied, by default.
Step 2: Apply the ACL on the correct interface to filter traffic.
From R1's perspective, the traffic that ACL 100 applies to is inbound from the network
connected to the Gigabit Ethernet 0/0 interface. Enter interface configuration mode and apply
the ACL.
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip access-group 100 in
Step 1: Configure an ACL to permit HTTP access and ICMP.
a. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the
following command, followed by a question mark.
R1(config)# ip access-list ?
extended Extended Access List
standard Standard Access List
b. You can configure named standard and extended ACLs. This access list filters both
source and destination IP addresses; therefore, it must be extended.
Enter HTTP_ONLY as the name. (For Packet Tracer scoring, the name is case-sensitive.)
R1(config)# ip access-list extended HTTP_ONLY
c. The prompt changes. You are now in extended named ACL configuration mode. All
devices on the PC2 LAN need TCP access. Enter the network address, followed by a
question mark.
R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
A.B.C.D Source wildcard bits
d. An alternative way to calculate a wildcard is to subtract the subnet mask from
255.255.255.255.
255.255.255.255
- 255.255.255.240
-----------------
= 0.0.0.15
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 ?
e. Finish the statement by specifying the server address as you did in Part 1 and
filtering www traffic.
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62
eq www
f. Create a second access list statement to permit ICMP (ping, etc.) traffic
from PC2 to Server. Note: The prompt remains the same and a specific type of ICMP
traffic does not need to be specified.
R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
g. All other traffic is denied, by default. Exit out of extended named ACL configuration
mode.
Step 2: Apply the ACL on the correct interface to filter traffic.
From R1's perspective, the traffic that access list HTTP_ONLY applies to is inbound from
the network connected to the Gigabit Ethernet 0/1 interface. Enter interface configuration
mode and apply the ACL.
R1(config)# interface gigabitEthernet 0/1
R1(config-if)# ip access-group HTTP_ONLY in
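As an added example that is not part of the lab, the Python below models the wildcard-mask arithmetic from both scenarios (bitwise inverse and subtraction from 255.255.255.255) and evaluates constructed copies of the lab's ACL 100, HTTP_ONLY and R2's standard ACL 1 top-down with the implicit deny, so you can check which packets each entry admits before applying the list to an interface.

```python
import ipaddress

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix, both ways the lab shows: bitwise inverse of the
    subnet mask, and 255.255.255.255 minus the subnet mask (they always agree)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    inverse = ~mask & 0xFFFFFFFF
    assert inverse == 0xFFFFFFFF - mask
    return str(ipaddress.IPv4Address(inverse))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' in IOS syntax
def HOST(ip): return (ip, "0.0.0.0")    # 'host x.x.x.x' in IOS syntax

# ACE = (action, protocol, (src, src_wildcard), (dst, dst_wildcard), dst_port or None)
ACL_100 = [  # R1: FTP and ICMP from the PC1 LAN (/27) to the server
    ("permit", "tcp",  ("172.22.34.64", "0.0.0.31"), HOST("172.22.34.62"), 21),
    ("permit", "icmp", ("172.22.34.64", "0.0.0.31"), HOST("172.22.34.62"), None),
]
HTTP_ONLY = [  # R1: HTTP and ICMP from the PC2 LAN (/28) to the server
    ("permit", "tcp",  ("172.22.34.96", "0.0.0.15"), HOST("172.22.34.62"), 80),
    ("permit", "icmp", ("172.22.34.96", "0.0.0.15"), HOST("172.22.34.62"), None),
]
ACL_1_R2 = [  # R2 standard ACL 1: source-only matching, then 'permit any'
    ("deny",   "ip", ("192.168.11.0", "0.0.0.255"), ANY, None),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto: str, src: str, dst: str, dport=None) -> str:
    """Top-down, first match wins; a packet matching no entry hits the implicit deny."""
    for action, p, (s, swc), (d, dwc), port in acl:
        if p != "ip" and p != proto:
            continue
        if not (matches(src, s, swc) and matches(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit 'deny any' at the end of every ACL
```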